Capabilities are a different way to view security than the access control lists (ACLs) many people are familiar with. Capabilities mesh particularly well with object-oriented systems like Squeak, because plain old objects can be capabilities and thus form the backbone of a security policy. Python's security model is based on capabilities. In fact, Unix's security, while based on ACLs at the top-most level, uses file descriptors as capabilities when more fine-grained security is desired. There is a lot of interesting information about capabilities at http://www.erights.org.
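The Unix case mentioned above, as an added example that is not part of the original page or of Islands: a read-only file descriptor is handed to a forked worker, which can use exactly the authority the descriptor carries and nothing else. The function names are hypothetical and the file contents are constructed sample data; it assumes a Unix system with `fork`.

```python
import errno
import os
import tempfile


def make_read_capability(text):
    """Privileged side: write a file, open it read-only, then remove its name.

    After unlink() no path (and so no ACL lookup) leads to the file; the
    returned descriptor is the only remaining authority over its contents.
    """
    tmp_fd, path = tempfile.mkstemp()
    with os.fdopen(tmp_fd, "w") as f:
        f.write(text)
    cap = os.open(path, os.O_RDONLY)  # attenuated: read authority only
    os.unlink(path)
    return cap, path


def confined_worker(cap):
    """Worker that holds only the descriptor, never a file name."""
    data = os.pread(cap, 4096, 0)
    try:
        os.write(cap, b"tamper")      # exceeds the authority that was granted
        write_errno = 0
    except OSError as e:
        write_errno = e.errno
    return data, write_errno


def delegate(cap):
    """Pass the capability to a forked child; report what the child could do."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: inherits the descriptor itself
        try:
            os.close(r)
            data, write_errno = confined_worker(cap)
            os.write(w, b"%d:" % write_errno + data)
        finally:
            os._exit(0)
    os.close(w)
    with os.fdopen(r, "rb") as f:
        reply = f.read()
    os.waitpid(pid, 0)
    code, _, data = reply.partition(b":")
    return data.decode(), int(code)
```

The child reads the contents although the path no longer exists, and its write attempt fails with `EBADF` because the descriptor was opened read-only.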

Lex Spoon has cleaned up Squeak so that an object may be treated as a capability without unwanted privileges escaping. He didn't implement very many interfaces, but he did lock down most of the worst holes.

Since these changes are so minimal, perhaps they can be included in the standard VM one day....

To get an Islands image to play in, you should grab lex-sandbox.zip. If you want to make your own image, start with Squeak 2.9 and use islands.zip. There is a file "islands-boot.st" in that archive which should load everything for you. Be aware that it takes a LONG time, because every class gets recompiled. (Anyone want to change this mechanism? The issue is that the system wants to keep track of which methods are privileged to use things like thisContext, and which are not, and this is currently done by adding an instance variable to all classes.)

Plans

Here are my (Lex's) broad plans for Islands in the near future, in order of priority. Of course, it's open source, so anyone should feel free to do what they like!

Morphic Proxy

The most important thing to do, I think, is to get a morphic proxy working so that code on an island can display outside to a Morphic world. This is already mostly implemented, but it is extremely slow. Having an isolated Morphic would be an application many people can use and basically would make Islands a lot cooler.

Example Usages

It would be wonderful to generate some example usages of the system to compare in particular with E. The Mint example would be one thing to try; I emailed the list with my effort at it, but it wasn't compiled and tested. There are likely some small details that need to be cleaned up before it will work.

Static Binding of Classes

Mark Miller has argued persuasively that classes should be statically bound. To do this, however, you need to be able to limit the static scope of class accesses, something Squeak is poor at right now. At any rate, this area seems like the third priority in the future of Islands.